Compare for duplicates before logging object exists errors

[nrb]

When restoring resources that raise an already exists error, check their
equality before logging a message on the restore. If they're the same
except for some metadata, don't generate a message.

The restore process was modified so that if an object had an empty
namespace string, no namespace key is created on the object. This was to
avoid manipulating the copy of the current cluster's object by adding
the target namespace.

There are some cases right now that are known to not be equal via this
method:

• The default ServiceAccount in a namespace will not match, primarily
  because of differing default tokens. These will be handled in their own
  patch
• IP addresses for Services are recorded in the backup object, but are
  either not present on the cluster object, or different. An issue for
  this already exists at Should service action (restore) remove all node ports from a service? #354
• Endpoints have differing values for renewTime. This may be
  insubstantial, but isn't currently handled by the resetMetadataAndStatus
  function.
• PersistentVolume objects in the backup have a claimRef section,
  while those in cluster do not.

Signed-off-by: Nolan Brubaker nolan@heptio.com

[nrb]

@skriss Should we perhaps wrap or append to the error message here to say that the object exists and differs from the backup, so it's more clear what's happened?

[skriss]

yeah probably makes sense to wrap

[skriss]

need to handle error

[skriss]

need to handle error

[skriss]

probably makes sense to do a ctx.infof(...) here stating that the object already exists with matching state in-cluster

[skriss]

yeah probably makes sense to wrap

[ncdc]

its

[ncdc]

I'm not sure we need the comment about errors?

[ncdc]

I think we need a small function that takes 2 objects and tells us if they're equal. Ideally it should just return a bool, although it may need to return (bool, error) because resetMetadataAndStatus can return an error.

We could have another function that retrieves fromCluster and then calls the helper above.

[nrb]

That makes sense. Perhaps resolveConflict would be the top level that gets fromCluster, cleans it up, and passes it down?

[ncdc]

Note: if you need to format an error string, do errors.Errorf

[ncdc]

I would probably omit the format string and just return errors.WithStack(err)

[ncdc]

I would probably omit the format string and just return err

[ncdc]

This is where I'd return false

[nrb]

Would you return false, nil with a (bool, err) return signature?

[ncdc]

Yes

[ncdc]

Assuming this returns (bool, err), I'd store it in a different error to differentiate from the already-exists error. I would log the error that comes back from this call, if we get one. Then, if we got an error here, or the bool return value is false (objects not equal), call addToResult.

Here's my thinking: if we run into any problems trying to determine equality, it's better to record those problems in the restore log file, and record the conflict in the restore result warnings. Would you agree?

[nrb]

Yeah, I think I would - I actually had resolveConflict returning (bool, err) initially, but changed it to error only as I was only switching on error states. I was also doing _, restoreErr := resourceClient.Create(obj) in order to keep it separate.

I'll return to that structure.

[ncdc]

This needs to be ctx.infof so it goes into the restore log file.

[ncdc]

Do you think we need this log line?

[nrb]

I'm not particularly attached to it. Fine with deleting it.

[ncdc]

What does this error text end up looking like - do you have an example?

[nrb]

Here's a snippet from a restore:

Warnings:
  Ark:        <none>
  Cluster:  persistentvolumes "pvc-c5c8bb8c-3758-11e8-a959-42010a960060" already exists and backup does not match.
            persistentvolumes "pvc-f07ce647-336d-11e8-9d79-42010a96006f" already exists and backup does not match.
  Namespaces:
    default:        services "kubernetes" already exists and backup does not match.
    kube-system:    endpoints "kube-controller-manager" already exists and backup does not match.
                    endpoints "kube-scheduler" already exists and backup does not match.
                    services "default-http-backend" already exists and backup does not match.
                    services "heapster" already exists and backup does not match.
                    services "kube-dns" already exists and backup does not match.
                    services "kubernetes-dashboard" already exists and backup does not match.
    nginx-example:  services "my-nginx" already exists and backup does not match.

[ncdc]

Thanks

[ncdc]

Please add a comment indicating that if we get here, we got some error other than already-exists

[ncdc]

return equality.Semantic.DeepEqual(fromBackup, fromCluster), nil

[ncdc]

I don't think we need to pass in restoreErr any more?

[ncdc]

Sorry for going back and forth on this, but I'm wondering if it would just be clearer to move the Get() into the IsAlreadyExists block and get rid of this helper. WDYT?

[nrb]

My very first pass did that. The reason I named this function resolveConflict was because I envisioned adding more complex cases like service accounts there later. That way, the resolution was mostly out of the IsAlreadyExists block.

Doing the Get() in the block seems reasonable to me, and some function that contains different actions or policy checks added when it's needed.

[ncdc]

I'm thinking of something like this:

equal := false

if fromCluster, err := resourceClient.Get(obj.GetName(), metav1.GetOptions{}); err == nil {
  equal, err = objectsAreEqual(fromCluster, obj)
  if err != nil {
    // Log any errors trying to check equality
    ctx.infof(err.Error())
  }
} else {
  ctx.infof("error getting from-cluster...")
}

if !equal {
  e := fmt.Errorf("%s and backup does not match.", restoreErr)
  addToResult(&warnings, namespace, e)
}

This way, we only call objectsAreEqual if we successfully retrieve fromCluster. No matter what, if we get an error anywhere in here, it gets logged, and we add the warning in all cases unless the objects are equal. WDYT?

[nrb]

Yeah, that makes sense.

[ncdc]

Please run in a subtest: t.Run(test.name, func(t *testing.T) { ... })

[ncdc]

I would check if the obj already has labels and merge if it does.

[ncdc]

It might be worth getting the json output from a real cluster of something like a secret or service or pod and putting that in here as a test case. We have a test helper to convert json to Unstructured.

[nrb]

Will do.

[ncdc]

I'd add a comment that fromCluster is mutated

[ncdc]

We're trying to use errors.Errorf (from github.com/pkg/errors) wherever possible.

[nrb]

@ncdc @skriss Latest comments addressed, PTAL when you can.

[skriss]

Generally looking pretty good to me

[skriss]

I'd probably make this something like ctx.infof("error checking %s for equality: %v", obj.getName(), err)

[skriss]

wordsmithing here, but since this is directly part of the UX it's important to make this super clear - maybe something like " not restored: , and is different than backed-up version." I think it's important to make clear that it wasn't restored, because it already exists, and there's a diff (so the user might want to manually remediate).

[ncdc]

I would remove is copy that

[skriss]

LGTM!